[Snort-users] Only *nix alerts?

Erek Adams erek at ...950...
Sun Apr 6 13:34:03 EDT 2003


On Sun, 6 Apr 2003, Keg wrote:

> Snort 1.9.1 on RH8
> I scan a network segment protected with Snort using Nessus. I actually
> have scanned only 2 boxes on that network - one Linux box and one NT box.
> The alerts I see in Snort are almost all unix-related, namely: squid
> proxy attempt, scan proxy attempt 8080, tftp get password, snmp get
> alerts, ASF access, amanda version request, DDOS mstream, xdmp query,
> samba client access, etc.
> I don't see any windows-related alerts, which should be produced in tons
> by nessus scanning, because it runs a lot of windows-related vuln test
> scripts.
> Question:
> 1. Why don't I see windows-related alerts, any ideas?

Lots of reasons, but none related to the OS.

    *  You're on a switched network, and Snort is running on the
Linux box.  Unless the port is configured as a monitoring port, you'll never
see anything destined for the other box.
    *  You're using an 'auto sensing hub'.  If you're using a 10/100
autosensing hub, then you've got one box at 10mb and the other at 100mb.
Those autosensing hubs have two 'sides': one for 10mbs and one for 100mbs.
It keeps 100mb traffic on its side, and keeps 10mbs traffic on its side.

> 2. Generally speaking, nessus runs more than 1000 different scripts for
> vuln tests; should I see a similar number of UNIQUE alerts in snort?
> In my understanding, snort should be aware of most of the attack attempts or
> queries nessus produces...

Not necessarily.  Due to the way that rules work, if a three-way handshake
isn't established, it won't alert.  Check the rules and find what rules you
are expecting to fire.  Check them for 'flow: established, to_server'.  I
bet you'll find that on quite a few of them.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
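A small audit script for the check Erek describes above, added here as an example and not part of the original thread or of Snort itself: it splits a rule file into rules that can fire on unestablished traffic (half-open SYN scans, UDP) and rules carrying `flow:...established` that need a completed three-way handshake. The rules in `SAMPLE_RULES` are constructed for the example, with sids in the local 1000000+ range, and the option parser is a deliberately simple stand-in for Snort's own.

```python
import re

# Constructed sample rules in Snort 1.x syntax (not copied from any published
# rule set); sids use the local 1000000+ range so they collide with nothing.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy (8080) attempt"; flags:S,12; classtype:attempted-recon; sid:1000001; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Get password"; content:"passwd"; classtype:attempted-recon; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share access"; flow:to_server,established; content:"IPC$"; classtype:attempted-recon; sid:1000004; rev:1;)
"""

# Everything between the outermost parentheses is the rule's option list.
OPTIONS_RE = re.compile(r"\((.*)\)\s*$")

def parse_options(rule_line):
    """Map option keyword -> list of values for one rule line (None if not a rule).

    Options are ';'-separated; Snort requires a literal ';' inside a quoted
    value to be escaped as '\\;', so a plain split is adequate for this audit."""
    line = rule_line.strip()
    if not line or line.startswith("#"):
        return None
    m = OPTIONS_RE.search(line)
    if not m:
        return None
    opts = {}
    for item in m.group(1).split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(":")
        opts.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return opts

def requires_established(opts):
    """True if the rule carries flow:...established, i.e. it can only fire
    after stream reassembly has seen a completed three-way handshake."""
    flags = {f.strip() for v in opts.get("flow", []) for f in v.split(",")}
    return "established" in flags

def audit_rules(text):
    """Bucket rule msgs by whether they need a full TCP session to fire."""
    stateless, stateful = [], []
    for line in text.splitlines():
        opts = parse_options(line)
        if opts is None:
            continue
        msg = opts.get("msg", ["<no msg>"])[0]
        (stateful if requires_established(opts) else stateless).append(msg)
    return {"stateless": stateless, "needs_session": stateful}

if __name__ == "__main__":
    for kind, msgs in audit_rules(SAMPLE_RULES).items():
        print(f"{kind}: {len(msgs)}")
        for msg in msgs:
            print("   ", msg)
```

Point it at a real rules directory (for example by reading each `*.rules` file into `audit_rules`) to see how much of the rule set can never match a scanner that only sends unanswered SYNs.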
